From d31318470bcfb236e2ed9356e0e61f34fe85cc80 Mon Sep 17 00:00:00 2001 From: Harry Huang Date: Mon, 28 Nov 2016 17:25:35 +0800 Subject: add congress support JIRA: COMPASS-367 add congress support in openstack_mitaka and openstack_newton_xenial Change-Id: I3aa19cb54081ad2300964955b899c1b56a875b25 Signed-off-by: Harry Huang --- .../roles/congress/files/congress.service | 19 + .../roles/congress/handlers/main.yml | 12 + .../roles/congress/tasks/congress_config.yml | 15 + .../roles/congress/tasks/congress_db.yml | 28 ++ .../roles/congress/tasks/congress_install.yml | 37 ++ .../roles/congress/tasks/main.yml | 16 + .../roles/congress/templates/api-paste.ini | 34 ++ .../roles/congress/templates/congress.conf | 510 +++++++++++++++++++++ .../roles/congress/templates/policy.json | 6 + .../roles/congress/vars/Debian.yml | 21 + .../roles/congress/vars/main.yml | 12 + .../roles/ha/templates/haproxy.cfg | 11 + .../roles/keystone/vars/main.yml | 55 ++- 13 files changed, 755 insertions(+), 21 deletions(-) create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/files/congress.service create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/handlers/main.yml create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_config.yml create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_db.yml create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_install.yml create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/main.yml create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/api-paste.ini create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/congress.conf create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/policy.json create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/Debian.yml create mode 100644 deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/main.yml (limited to 'deploy/adapters/ansible/openstack_newton_xenial') diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/files/congress.service b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/files/congress.service new file mode 100644 index 00000000..4ec26c8c --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/files/congress.service @@ -0,0 +1,19 @@ +[Unit] +Description=OpenStack Congress server +After= + +[Service] +User=root +Group=root +Type=simple +WorkingDirectory=/var/lib/congress +PermissionsStartOnly=true +ExecStartPre=/bin/mkdir -p /var/lock/congress /var/log/congress /var/lib/congress +ExecStartPre=/usr/bin/touch /var/log/congress/congress.log +ExecStart=/usr/local/bin/congress-server --config-file /etc/congress/congress.conf +Restart=on-failure +LimitNOFILE=65535 +TimeoutStopSec=15 + +[Install] +WantedBy=multi-user.target diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/handlers/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/handlers/main.yml new file mode 100644 index 00000000..cf535a11 --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/handlers/main.yml @@ -0,0 +1,12 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +--- +- name: restart congress services + service: name={{ item }} state=restarted enabled=yes + with_items: services | union(services_noarch) diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_config.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_config.yml new file mode 100644 index 00000000..f40d4c22 --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_config.yml @@ -0,0 +1,15 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +--- +- name: congress db sync + shell: /usr/local/bin/congress-db-manage --config-file /etc/congress/congress.conf upgrade head + when: inventory_hostname == haproxy_hosts.keys()[0] + +- name: start congress service + shell: systemctl start congress.service diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_db.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_db.yml new file mode 100644 index 00000000..1883509b --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_db.yml @@ -0,0 +1,28 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +--- +- name: create congress db + mysql_db: + login_unix_socket: /var/run/mysqld/mysqld.sock + name: "{{ item.db }}" + state: present + with_items: "{{ credentials }}" + +- name: create congress db user + mysql_user: + login_unix_socket: /var/run/mysqld/mysqld.sock + name: "{{ item[0].user }}" + password: "{{ item[0].password }}" + priv: "*.*:ALL,GRANT" + host: "{{ item[1] }}" + state: present + with_nested: + - "{{ credentials }}" + - ['%', 'localhost'] + diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_install.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_install.yml new file mode 100644 index 00000000..19eed11c --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/congress_install.yml @@ -0,0 +1,37 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +--- +- include_vars: "{{ ansible_os_family }}.yml" + +- name: install congress packages + pip: name={{ item }} state=present + with_items: packages + +- name: create congress etc directory + file: path=/etc/congress state=directory + +- name: update congress conf + template: src={{ item }} dest=/etc/congress/{{ item }} + backup=yes + with_items: + - congress.conf + - api-paste.ini + - policy.json + +- name: create congress service + copy: src=congress.service dest=/lib/systemd/system/ + +- name: create congress service work dir + file: path=/var/lib/congress state=directory + +- name: link the congress service + file: + src: /lib/systemd/system/congress.service + dest: /etc/systemd/system/multi-user.target.wants/congress.service + state: link diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/main.yml new file mode 100644 index 00000000..f8056d15 --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/tasks/main.yml @@ -0,0 +1,16 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +--- +- include: congress_install.yml + +- include: congress_db.yml + when: + - inventory_hostname == haproxy_hosts.keys()[0] + +- include: congress_config.yml diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/api-paste.ini b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/api-paste.ini new file mode 100644 index 00000000..39be570b --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/api-paste.ini @@ -0,0 +1,34 @@ +[composite:congress] +use = egg:Paste#urlmap +/: congressversions +/v1: congress_api_v1 + +[pipeline:congressversions] +pipeline = cors catch_errors congressversionapp + +[app:congressversionapp] +paste.app_factory = congress.api.versions:Versions.factory + +[composite:congress_api_v1] +use = call:congress.auth:pipeline_factory +keystone = cors request_id catch_errors authtoken keystonecontext congress_api +noauth = cors request_id catch_errors congress_api + +[app:congress_api] +paste.app_factory = congress.service:congress_app_factory + +[filter:request_id] +paste.filter_factory = oslo_middleware:RequestId.factory + +[filter:catch_errors] +paste.filter_factory = oslo_middleware:CatchErrors.factory + +[filter:keystonecontext] +paste.filter_factory = congress.auth:CongressKeystoneContext.factory + +[filter:authtoken] +paste.filter_factory = keystonemiddleware.auth_token:filter_factory + +[filter:cors] +paste.filter_factory = oslo_middleware.cors:filter_factory +oslo_config_project = congress diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/congress.conf b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/congress.conf new file mode 100644 index 00000000..0305b418 --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/congress.conf @@ -0,0 +1,510 @@ +{% set memcached_servers = [] %} +{% set rabbitmq_servers = [] %} +{% for host in haproxy_hosts.values() %} +{% set _ = memcached_servers.append('%s:11211'% host) %} +{% set _ = rabbitmq_servers.append('%s:5672'% host) %} +{% endfor %} +{% set memcached_servers = memcached_servers|join(',') %} +{% set rabbitmq_servers = rabbitmq_servers|join(',') %} +[DEFAULT] + +# +# From congress +# +# The host IP to bind to (string tmq_serversvalue) +bind_host = {{ internal_ip }} + +# The port to bind to (port value) +# Minimum value: 0 +# Maximum value: 65535 +bind_port = 1789 + +# Thread pool size for eventlet. (integer value) +#max_simultaneous_requests = 1024 + +# Set this to true to enable TCP_KEEALIVE socket option on connections received +# by the API server. (boolean value) +#tcp_keepalive = false + +# Sets the value of TCP_KEEPIDLE in seconds for each server socket. Only +# applies if tcp_keepalive is true. Not supported on OS X. (integer value) +#tcp_keepidle = 600 + +# The path to the latest policy dump (string value) +policy_path = /etc/congress/policy.json + +# The file containing datasource configuration (string value) +#datasource_file = + +# The absolute path to the congress repo (string value) +#root_path = + +# The number of worker processes to serve the congress API application. +# (integer value) +#api_workers = 1 + +# The API paste config file to use (string value) +#api_paste_config = api-paste.ini + +# The type of authentication to use (string value) +auth_strategy = keystone + +# List of driver class paths to import. (list value) +drivers = congress.datasources.neutronv2_driver.NeutronV2Driver,congress.datasources.glancev2_driver.GlanceV2Driver,congress.datasources.nova_driver.NovaDriver,congress.datasources.keystone_driver.KeystoneDriver,congress.datasources.ceilometer_driver.CeilometerDriver,congress.datasources.cinder_driver.CinderDriver,congress.datasources.swift_driver.SwiftDriver,congress.datasources.plexxi_driver.PlexxiDriver,congress.datasources.vCenter_driver.VCenterDriver,congress.datasources.cloudfoundryv2_driver.CloudFoundryV2Driver,congress.datasources.murano_driver.MuranoDriver,congress.datasources.ironic_driver.IronicDriver + + +# The number of seconds to wait between synchronizing datasource config from +# the database (integer value) +#datasource_sync_period = 0 + +# Sets the flag to False if you don't want the congress to execute actions. +# (boolean value) +#enable_execute_action = true + +# The flag to use congress new distributed architecture.Don't set it to True in +# L release since the new architecture is under implementation. (boolean value) +#distributed_architecture = false + +# Explicitly specify the temporary working directory (string value) +#tempdir = + +# Make exception message format errors fatal (boolean value) +#fatal_exception_format_errors = false + +# +# From oslo.log +# + +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) +# Note: This option can be changed without restarting. +debug = True + +# DEPRECATED: If set to false, the logging level will be set to WARNING instead +# of the default INFO level. (boolean value) +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +#verbose = true + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, logging_context_format_string). (string value) +# Note: This option can be changed without restarting. +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = + +# Defines the format string for %%(asctime)s in log records. Default: +# %(default)s . This option is ignored if log_config_append is set. (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logfile +log_file = congress.log + +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logdir +log_dir = /var/log/congress + +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and +# Linux platform is used. This option is ignored if log_config_append is set. +# (boolean value) +#watch_log_file = false + +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. This option is ignored if log_config_append +# is set. (boolean value) +#use_syslog = false + +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) +#syslog_log_facility = LOG_USER + +# Log output to standard error. This option is ignored if log_config_append is +# set. (boolean value) +#use_stderr = true + +# Format string to use for log messages with context. (string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages when context is undefined. (string +# value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Additional data to append to log message when logging level for the message +# is DEBUG. (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# The format for an instance that is passed with the log message. (string +# value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + + +[cors] + +# +# From oslo.middleware.cors +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. Format: "://[:]", no trailing +# slash. Example: https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Subject-Token,X-Service-Token + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = GET,PUT,POST,DELETE,PATCH + +# Indicate which header field names may be used during the actual request. +# (list value) +#allow_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Identity-Status,X-Roles,X-Service-Catalog,X-User-Id,X-Tenant-Id + + +[cors.subdomain] + +# +# From oslo.middleware.cors +# + +# Indicate whether this resource may be shared with the domain received in the +# requests "origin" header. Format: "://[:]", no trailing +# slash. Example: https://horizon.example.com (list value) +#allowed_origin = + +# Indicate that the actual request can include user credentials (boolean value) +#allow_credentials = true + +# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple +# Headers. (list value) +#expose_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Subject-Token,X-Service-Token + +# Maximum cache age of CORS preflight requests. (integer value) +#max_age = 3600 + +# Indicate which methods can be used during the actual request. (list value) +#allow_methods = GET,PUT,POST,DELETE,PATCH + +# Indicate which header field names may be used during the actual request. +# (list value) +#allow_headers = X-Auth-Token,X-OpenStack-Request-ID,X-Identity-Status,X-Roles,X-Service-Catalog,X-User-Id,X-Tenant-Id + + +[database] + +# +# From oslo.db +# + +# DEPRECATED: The file name to use with SQLite. (string value) +# Deprecated group/name - [DEFAULT]/sqlite_db +# This option is deprecated for removal. +# Its value may be silently ignored in the future. +# Reason: Should use config option connection or slave_connection to connect +# the database. +#sqlite_db = oslo.sqlite + +# If True, SQLite uses synchronous mode. (boolean value) +# Deprecated group/name - [DEFAULT]/sqlite_synchronous +#sqlite_synchronous = true + +# The back end to use for the database. (string value) +# Deprecated group/name - [DEFAULT]/db_backend +#backend = sqlalchemy + +# The SQLAlchemy connection string to use to connect to the database. (string +# value) +# Deprecated group/name - [DEFAULT]/sql_connection +# Deprecated group/name - [DATABASE]/sql_connection +# Deprecated group/name - [sql]/connection +connection = mysql+pymysql://congress:{{ CONGRESS_DBPASS }}@{{ db_host }}/congress + +# The SQLAlchemy connection string to use to connect to the slave database. +# (string value) +#slave_connection = + +# The SQL mode to be used for MySQL sessions. This option, including the +# default, overrides any server-set SQL mode. To use whatever SQL mode is set +# by the server configuration, set this to no value. Example: mysql_sql_mode= +# (string value) +#mysql_sql_mode = TRADITIONAL + +# Timeout before idle SQL connections are reaped. (integer value) +# Deprecated group/name - [DEFAULT]/sql_idle_timeout +# Deprecated group/name - [DATABASE]/sql_idle_timeout +# Deprecated group/name - [sql]/idle_timeout +#idle_timeout = 3600 + +# Minimum number of SQL connections to keep open in a pool. (integer value) +# Deprecated group/name - [DEFAULT]/sql_min_pool_size +# Deprecated group/name - [DATABASE]/sql_min_pool_size +#min_pool_size = 1 + +# Maximum number of SQL connections to keep open in a pool. Setting a value of +# 0 indicates no limit. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_pool_size +# Deprecated group/name - [DATABASE]/sql_max_pool_size +#max_pool_size = 5 + +# Maximum number of database connection retries during startup. Set to -1 to +# specify an infinite retry count. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_retries +# Deprecated group/name - [DATABASE]/sql_max_retries +#max_retries = 10 + +# Interval between retries of opening a SQL connection. (integer value) +# Deprecated group/name - [DEFAULT]/sql_retry_interval +# Deprecated group/name - [DATABASE]/reconnect_interval +#retry_interval = 10 + +# If set, use this value for max_overflow with SQLAlchemy. (integer value) +# Deprecated group/name - [DEFAULT]/sql_max_overflow +# Deprecated group/name - [DATABASE]/sqlalchemy_max_overflow +#max_overflow = 50 + +# Verbosity of SQL debugging information: 0=None, 100=Everything. (integer +# value) +# Minimum value: 0 +# Maximum value: 100 +# Deprecated group/name - [DEFAULT]/sql_connection_debug +#connection_debug = 0 + +# Add Python stack traces to SQL as comment strings. (boolean value) +# Deprecated group/name - [DEFAULT]/sql_connection_trace +#connection_trace = false + +# If set, use this value for pool_timeout with SQLAlchemy. (integer value) +# Deprecated group/name - [DATABASE]/sqlalchemy_pool_timeout +#pool_timeout = + +# Enable the experimental use of database reconnect on connection lost. +# (boolean value) +#use_db_reconnect = false + +# Seconds between retries of a database transaction. (integer value) +#db_retry_interval = 1 + +# If True, increases the interval between retries of a database operation up to +# db_max_retry_interval. (boolean value) +#db_inc_retry_interval = true + +# If db_inc_retry_interval is set, the maximum seconds between retries of a +# database operation. (integer value) +#db_max_retry_interval = 10 + +# Maximum retries in case of connection error or deadlock error before error is +# raised. Set to -1 to specify an infinite retry count. (integer value) +#db_max_retries = 20 + + +[keystone_authtoken] + +# +# From keystonemiddleware.auth_token +# + +# Complete "public" Identity API endpoint. This endpoint should not be an +# "admin" endpoint, as it should be accessible by all end users. +# Unauthenticated clients are redirected to this endpoint to authenticate. +# Although this endpoint should ideally be unversioned, client support in the +# wild varies. If you're using a versioned v2 endpoint here, then this should +# *not* be the same endpoint the service user utilizes for validating tokens, +# because normal end users may not be able to reach that endpoint. (string +# value) +auth_uri = http://{{ internal_vip.ip }}:5000 +auth_url = http://{{ internal_vip.ip }}:35357 +memcached_servers = {{ memcached_servers }} +project_name = service +password = {{ CONGRESS_PASS }} +username = congress +auth_type = password +# API version of the admin Identity API endpoint. (string value) + +# Do not handle authorization requests within the middleware, but delegate the +# authorization decision to downstream WSGI components. (boolean value) +#delay_auth_decision = false + +# Request timeout value for communicating with Identity API server. (integer +# value) +#http_connect_timeout = + +# How many times are we trying to reconnect when communicating with Identity +# API Server. (integer value) +#http_request_max_retries = 3 + +# Request environment key where the Swift cache object is stored. When +# auth_token middleware is deployed with a Swift cache, use this option to have +# the middleware share a caching backend with swift. Otherwise, use the +# ``memcached_servers`` option instead. (string value) +#cache = + +# Required if identity server requires client certificate (string value) +#certfile = + +# Required if identity server requires client certificate (string value) +#keyfile = + +# A PEM encoded Certificate Authority to use when verifying HTTPs connections. +# Defaults to system CAs. (string value) +#cafile = + +# Verify HTTPS connections. (boolean value) +#insecure = false + +# The region in which the identity server can be found. (string value) +#region_name = + +# Directory used to cache files related to PKI tokens. (string value) +#signing_dir = + +# Optionally specify a list of memcached server(s) to use for caching. If left +# undefined, tokens will instead be cached in-process. (list value) +# Deprecated group/name - [keystone_authtoken]/memcache_servers +#memcached_servers = + +# In order to prevent excessive effort spent validating tokens, the middleware +# caches previously-seen tokens for a configurable duration (in seconds). Set +# to -1 to disable caching completely. (integer value) +#token_cache_time = 300 + +# Determines the frequency at which the list of revoked tokens is retrieved +# from the Identity service (in seconds). A high number of revocation events +# combined with a low cache duration may significantly reduce performance. Only +# valid for PKI tokens. (integer value) +#revocation_cache_time = 10 + +# (Optional) If defined, indicate whether token data should be authenticated or +# authenticated and encrypted. If MAC, token data is authenticated (with HMAC) +# in the cache. If ENCRYPT, token data is encrypted and authenticated in the +# cache. If the value is not one of these options or empty, auth_token will +# raise an exception on initialization. (string value) +# Allowed values: None, MAC, ENCRYPT +#memcache_security_strategy = None + +# (Optional, mandatory if memcache_security_strategy is defined) This string is +# used for key derivation. (string value) +#memcache_secret_key = + +# (Optional) Number of seconds memcached server is considered dead before it is +# tried again. (integer value) +#memcache_pool_dead_retry = 300 + +# (Optional) Maximum total number of open connections to every memcached +# server. (integer value) +#memcache_pool_maxsize = 10 + +# (Optional) Socket timeout in seconds for communicating with a memcached +# server. (integer value) +#memcache_pool_socket_timeout = 3 + +# (Optional) Number of seconds a connection to memcached is held unused in the +# pool before it is closed. (integer value) +#memcache_pool_unused_timeout = 60 + +# (Optional) Number of seconds that an operation will wait to get a memcached +# client connection from the pool. (integer value) +#memcache_pool_conn_get_timeout = 10 + +# (Optional) Use the advanced (eventlet safe) memcached client pool. The +# advanced pool will only work under python 2.x. (boolean value) +#memcache_use_advanced_pool = false + +# (Optional) Indicate whether to set the X-Service-Catalog header. If False, +# middleware will not ask for service catalog on token validation and will not +# set the X-Service-Catalog header. (boolean value) +#include_service_catalog = true + +# Used to control the use and type of token binding. Can be set to: "disabled" +# to not check token binding. "permissive" (default) to validate binding +# information if the bind type is of a form known to the server and ignore it +# if not. "strict" like "permissive" but if the bind type is unknown the token +# will be rejected. "required" any form of token binding is needed to be +# allowed. Finally the name of a binding method that must be present in tokens. +# (string value) +#enforce_token_bind = permissive + +# If true, the revocation list will be checked for cached tokens. This requires +# that PKI tokens are configured on the identity server. (boolean value) +#check_revocations_for_cached = false + +# Hash algorithms to use for hashing PKI tokens. This may be a single algorithm +# or multiple. The algorithms are those supported by Python standard +# hashlib.new(). The hashes will be tried in the order given, so put the +# preferred one first for performance. The result of the first hash will be +# stored in the cache. This will typically be set to multiple values only while +# migrating from a less secure algorithm to a more secure one. Once all the old +# tokens are expired this option should be set to a single value for better +# performance. (list value) +#hash_algorithms = md5 + +# Authentication type to load (string value) +# Deprecated group/name - [keystone_authtoken]/auth_plugin +#auth_type = + +# Config Section from which to load plugin specific options (string value) +#auth_section = + + +[oslo_policy] + +# +# From oslo.policy +# + +# The JSON file that defines policies. (string value) +# Deprecated group/name - [DEFAULT]/policy_file +#policy_file = policy.json + +# Default rule. Enforced when a requested rule is not found. (string value) +# Deprecated group/name - [DEFAULT]/policy_default_rule +#policy_default_rule = default + +# Directories where policy configuration files are stored. They can be relative +# to any directory in the search path defined by the config_dir option, or +# absolute paths. The file defined by policy_file must exist for these +# directories to be searched. Missing or empty directories are ignored. (multi +# valued) +# Deprecated group/name - [DEFAULT]/policy_dirs +#policy_dirs = policy.d + +[oslo_messaging_rabbit] +rabbit_userid = {{ RABBIT_USER }} +rabbit_password = {{ RABBIT_PASS }} +rabbit_hosts = {{ rabbitmq_servers }} diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/policy.json b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/policy.json new file mode 100644 index 00000000..4476051d --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/templates/policy.json @@ -0,0 +1,6 @@ +{ + "context_is_admin": "role:admin", + "admin_only": "rule:context_is_admin", + "regular_user": "", + "default": "rule:admin_only" +} diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/Debian.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/Debian.yml new file mode 100644 index 00000000..1cc4645e --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/Debian.yml @@ -0,0 +1,21 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +--- +packages: + - congress + - python-congressclient + - python-cloudfoundryclient + +service: + - congress + +credentials: + - user: congress + db: congress + password: "{{ CONGRESS_DBPASS }}" diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/main.yml new file mode 100644 index 00000000..f6fef749 --- /dev/null +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/congress/vars/main.yml @@ -0,0 +1,12 @@ +############################################################################## +# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Apache License, Version 2.0 +# which accompanies this distribution, and is available at +# http://www.apache.org/licenses/LICENSE-2.0 +############################################################################## +--- +packages_noarch: [] + +services_noarch: [] diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/ha/templates/haproxy.cfg b/deploy/adapters/ansible/openstack_newton_xenial/roles/ha/templates/haproxy.cfg index c0a0747d..5fbcc9d9 100644 --- a/deploy/adapters/ansible/openstack_newton_xenial/roles/ha/templates/haproxy.cfg +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/ha/templates/haproxy.cfg @@ -190,6 +190,17 @@ listen proxy-aodh_api_cluster server {{ host }} {{ ip }}:8042 weight 1 check inter 2000 rise 2 fall 5 {% endfor %} +listen proxy-congress_api_cluster + bind {{ internal_vip.ip }}:1789 + bind {{ public_vip.ip }}:1789 + mode tcp + option tcp-check + option tcplog + balance source +{% for host,ip in haproxy_hosts.items() %} + server {{ host }} {{ ip }}:1789 weight 1 check inter 2000 rise 2 fall 5 +{% endfor %} + listen proxy-dashboarad bind {{ public_vip.ip }}:80 mode http diff --git a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml index fa7841e0..baaf89e1 100644 --- a/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml +++ b/deploy/adapters/ansible/openstack_newton_xenial/roles/keystone/vars/main.yml @@ -9,7 +9,6 @@ --- packages_noarch: - python-keystoneclient - - python3-keystoneclient services_noarch: [] os_services: @@ -17,9 +16,9 @@ os_services: type: identity region: RegionOne description: "OpenStack Identity" - publicurl: "http://{{ public_vip.ip }}:5000/v3" - internalurl: "http://{{ internal_vip.ip }}:5000/v3" - adminurl: "http://{{ internal_vip.ip }}:35357/v3" + publicurl: "http://{{ public_vip.ip }}:5000/v2.0" + internalurl: "http://{{ internal_vip.ip }}:5000/v2.0" + adminurl: "http://{{ internal_vip.ip }}:35357/v2.0" - name: glance type: image @@ -33,9 +32,9 @@ os_services: type: compute region: RegionOne description: "OpenStack Compute" - publicurl: "http://{{ public_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s" - internalurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s" - adminurl: "http://{{ internal_vip.ip }}:8774/v2.1/%\\(tenant_id\\)s" + publicurl: "http://{{ public_vip.ip }}:8774/v2/%(tenant_id)s" + internalurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s" + adminurl: "http://{{ internal_vip.ip }}:8774/v2/%(tenant_id)s" - name: neutron type: network @@ -65,25 +64,25 @@ os_services: type: volume region: RegionOne description: "OpenStack Block Storage" - publicurl: "http://{{ public_vip.ip }}:8776/v1/%\\(tenant_id\\)s" - internalurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s" - adminurl: "http://{{ internal_vip.ip }}:8776/v1/%\\(tenant_id\\)s" + publicurl: "http://{{ public_vip.ip }}:8776/v1/%(tenant_id)s" + internalurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s" + adminurl: "http://{{ internal_vip.ip }}:8776/v1/%(tenant_id)s" - name: cinderv2 type: volumev2 region: RegionOne description: "OpenStack Block Storage v2" - publicurl: "http://{{ public_vip.ip }}:8776/v2/%\\(tenant_id\\)s" - internalurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s" - adminurl: "http://{{ internal_vip.ip }}:8776/v2/%\\(tenant_id\\)s" + publicurl: "http://{{ public_vip.ip }}:8776/v2/%(tenant_id)s" + internalurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s" + adminurl: "http://{{ internal_vip.ip }}:8776/v2/%(tenant_id)s" - name: heat type: orchestration region: RegionOne description: "OpenStack Orchestration" - publicurl: "http://{{ public_vip.ip }}:8004/v1/%\\(tenant_id\\)s" - internalurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s" - adminurl: "http://{{ internal_vip.ip }}:8004/v1/%\\(tenant_id\\)s" + publicurl: "http://{{ public_vip.ip }}:8004/v1/%(tenant_id)s" + internalurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s" + adminurl: "http://{{ internal_vip.ip }}:8004/v1/%(tenant_id)s" - name: heat-cfn type: cloudformation @@ -93,13 +92,21 @@ os_services: internalurl: "http://{{ internal_vip.ip }}:8000/v1" adminurl: "http://{{ internal_vip.ip }}:8000/v1" + - name: congress + type: policy + region: RegionOne + description: "OpenStack Policy Service" + publicurl: "http://{{ public_vip.ip }}:1789" + internalurl: "http://{{ internal_vip.ip }}:1789" + adminurl: "http://{{ internal_vip.ip }}:1789" + # - name: swift # type: object-store # region: RegionOne # description: "OpenStack Object Storage" -# publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s" -# internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s" -# adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%\\(tenant_id\\)s" +# publicurl: "http://{{ public_vip.ip }}:8080/v1/AUTH_%(tenant_id)s" +# internalurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s" +# adminurl: "http://{{ internal_vip.ip }}:8080/v1/AUTH_%(tenant_id)s" os_users: - user: admin @@ -165,8 +172,15 @@ os_users: tenant: service tenant_description: "Service Tenant" + - user: congress + password: "{{ CONGRESS_PASS }}" + email: congress@admin.com + role: admin + tenant: service + tenant_description: "Service Tenant" + - user: demo - password: "{{ DEMO_PASS }}" + password: "" email: heat@demo.com role: heat_stack_user tenant: demo @@ -178,4 +192,3 @@ os_users: # role: admin # tenant: service # tenant_description: "Service Tenant" - -- cgit 1.2.3-korg